Security
TAPSIGNER Security Model
What the card isolates, what a companion wallet must do correctly, and what changes when the encrypted XPRV is recovered.
TAPSIGNER keeps a BIP-32 signing key on a separate NFC card and requires authenticated physical interaction for signing. Its security also depends on certificate-checking software, the companion wallet's transaction display, PIN custody, encrypted-backup separation, wallet-configuration backups, and a controlled recovery environment. The card has no screen.
Assets and trust boundaries
The main secret is the BIP-32 master XPRV created during setup. Normal use derives keys and signatures on the card rather than placing the unencrypted XPRV in phone storage. The companion wallet holds public wallet data, constructs transactions, selects paths, and shows the user what it claims will be signed.
A second secret path exists for recovery: the card can export the XPRV inside an encrypted backup file. The fixed AES key printed on the card decrypts that file outside the card. Any security explanation must account for both normal signing and recovery.
Key setup and chain-code verification
A new TAPSIGNER ships without a wallet private key. The application provides a 32-byte chain code, and the card picks a new random key pair using its internal TRNG. The resulting BIP-32 node uses both the secret private key and supplied chain code.
The application should confirm that the XPUB returned by TAPSIGNER contains the chain code it supplied. This check helps detect a card or implementation that ignored the wallet's contribution. It does not prove that every device component and wallet display is free from defects.
Factory certificate
Each card has a key certified through Coinkite's factory certificate chain. The official protocol guidance says applications should verify that certificate before trusting card data; otherwise a cloned or emulated card can deceive users.
A simple NFC tap opens a dynamic signed verification URL, but that browser flow is not the same as every direct protocol check. Use a compatible wallet that verifies the factory certificate during setup and critical operations.
CVC/PIN and NFC session
Protected commands use the current CVC/PIN through an ephemeral ECDH-derived session. The factory CVC can be replaced, after at least one backup, with a numeric value from 6 to 32 digits. Three immediate incorrect attempts are allowed before a 15-second enforced delay applies between further attempts.
A changed PIN helps if someone obtains the physical card but not the PIN. It cannot be reset if forgotten, and it cannot protect against a user approving a malicious wallet request. Keep it separate from the card and use recovery material rather than guessing indefinitely.
Backup security
The backup file contains the master XPRV and current derivation path, encrypted with AES-128-CTR under the fixed 128-bit key printed on the card. The companion should save encrypted bytes without asking for the printed key.
| Exposure | Result |
|---|---|
| Card alone, changed PIN unknown | Attacker faces PIN authentication and rate limiting |
| Encrypted backup file alone | XPRV remains encrypted, assuming key and cryptography stay uncompromised |
| Printed AES key alone | No XPRV without a matching backup file |
| Backup file + printed AES key | XPRV can be decrypted without the card or working PIN |
| Decrypted XPRV | Full descendant signing authority for that master key |
Separate the file and copied key, preserve the wallet descriptor, and move funds if joint exposure is suspected. Recovery has no restore-to-card command and should be treated as a transition to a new security state.
Screenless signing boundary
TAPSIGNER receives a digest to sign. It cannot display the destination address, amount, fee, inputs, change, or wallet policy. A compromised companion can show one transaction and request a signature for another.
Mitigations include verified wallet releases, independent address checks, review of the finalized transaction before broadcast, small test transactions, and multisig with a display-equipped cosigner when appropriate. None gives TAPSIGNER an onboard display it does not have.
Threats, controls, and limits
| Threat | Control | Limit |
|---|---|---|
| Phone storage compromise | Master XPRV remains on separate card during normal signing | Malicious wallet can still request unintended signatures |
| Counterfeit/emulated card | Factory-certificate verification | Requires an integration that performs the check |
| Silent NFC use | PIN authentication and encrypted command session | PIN exposure or user-approved malicious requests remain risks |
| PIN guessing | Delay after three failed attempts | No destructive wipe; weak PIN and prolonged access remain concerns |
| Card loss | Encrypted XPRV backup + separate printed key copy | Also requires correct path and wallet configuration |
| Backup theft | Separate storage of encrypted file and AES key | Joint exposure reveals XPRV |
| Wrong receive address | Descriptor/path verification in another trusted environment | Card has no display for independent confirmation |
| Lost multisig policy | Descriptor/configuration backups | Private keys alone may not identify the exact wallet |
What TAPSIGNER does not protect
It does not protect stablecoins, altcoins, exchange balances, or a phone that lies about a Bitcoin transaction. It is not a BIP-39 seed device, secure display, tamper-proof vault, or guarantee that every third-party wallet follows protocol best practices.
Use a display-equipped hardware signer for a threat model requiring independent on-device review. Use SATSCARD for bearer transfer rather than repeated signing. For TAPSIGNER, complete backup and recovery, understand screenless signing, and choose a verified companion wallet.
Official sources
Protocol claims on this page were checked against these first-party sources on 2026-07-10.